[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN101753554B - Information device with security protection capable of dynamically configuring and method for automatically configuring information device - Google Patents

Information device with security protection capable of dynamically configuring and method for automatically configuring information device Download PDF

Info

Publication number
CN101753554B
CN101753554B CN200910135011.XA CN200910135011A CN101753554B CN 101753554 B CN101753554 B CN 101753554B CN 200910135011 A CN200910135011 A CN 200910135011A CN 101753554 B CN101753554 B CN 101753554B
Authority
CN
China
Prior art keywords
security
massaging device
module
configuration
risk
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN200910135011.XA
Other languages
Chinese (zh)
Other versions
CN101753554A (en
Inventor
N·V·卡先科
A·V·季霍米罗夫
D·A·波利亚科夫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Kaspersky Lab AO
Original Assignee
Kaspersky Lab AO
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Kaspersky Lab AO filed Critical Kaspersky Lab AO
Publication of CN101753554A publication Critical patent/CN101753554A/en
Application granted granted Critical
Publication of CN101753554B publication Critical patent/CN101753554B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides an information device which comprises a safety module which can be dynamically arranged. A running set value is arranged automatically and dynamically according to a risk summary message and/or a computational capability message.

Description

A kind of massaging device of the safeguard protection with capable of dynamic configuration and massaging device is carried out to the method for configuration automatically
Technical field
The present invention relates to information technology by and large, more specifically, relates to a kind of safety system for the protection of massaging device and correlation technique.
Background technology
In current personal information and the communication system world, portable information apparatus is universal rapidly, especially build the system on notebook or MIME encoding platform and be called as smart phone or personal digital assistant (personal digital assistant, PDA), super mobile personal computer (ultra-mobilepersonal computer, UMPC) or mobile Internet device (mobile internet device, MID) multi-function communication device, these devices utilize processors such as the Atom being manufactured by Intel Company or Moorestown CPU or move for example Symbian OS, the operating systems such as Windows Mobile.To the public, provide the network (for example EDGE and 3G) of open access and various WiFi network (for example network based on IEEE 801 type standards) to become very general, and its popularity is also continuing to increase.
Along with the complexity of communication system and device and the increase of communication bandwidth and data transmission rate approach tens of megabyte/seconds, the risk that user obtains rogue program and other unwelcome content accidentally is also increasing.In addition, the malicious act persons such as hacker, identity thief (identitythieves), spammer (spammer) that increases to of the popularization degree of portable information apparatus and open network encroaches on and uses the user of these technology to create increasing chance.Computer system compromised (for example virus, worm, Malware, spyware, assault) and quantity and the seriousness of unwelcome content continue to increase.
Fire compartment wall, anti-viral software, anti-spam software and other this type of security application for personal computer are well known.Yet, portable information apparatus is applied to known method and but has special challenge.The designer's of portable information apparatus system and software primary goal be make a kind of can be from arbitrary place in any city, the world in fact the device of visit information immediately.In the market of current dog-eat-dog, low profit margin, portable information apparatus must make people afford.In addition, portable information apparatus must provide great portability and availability, this mean general arrangement size must be less and the operating time must long enough (being at least about 24 hours).Performance and availability are usually and purchasing power and portable conflicting target, because battery accounts for most in overall dimension, weight and the cost of device.Performance and availability are even also conflicting, because increase processor clock speed and increase memory, are equivalent to energization demand.
All these requirements make to provide higher portable information apparatus fail safe retention, availability, portability and cost nature unrealistic simultaneously by continuing simply to enlarge markedly processor power and data storage capacity.These constraintss have proposed restriction to the design of the application program of moving on portable information apparatus especially security application again, because these application programs may need a large amount of processor resources and memory capacity.
Therefore, the effective safety measures of the unique need that is particularly suitable for meeting portable information apparatus need to be provided.
Summary of the invention
The safety that various aspects of the present invention relate generally to the configuration of a kind of capable of dynamic for massaging device arranges, wherein according to risk summary, computing capability information or simultaneously according to the two, and automatically dynamic-configuration operation set point.
In one aspect, a kind of massaging device has: computer circuits, comprise the processor that is operationally coupled to data storage; User interface, comprises display and user input apparatus; Radio communication circuit; And power supply, for described computer circuits, user interface and radio communication circuit are powered.Described power supply can comprise the veneer energy with limited capacity, for example battery.Described computer circuits comprise safe arrangement, and described safe arrangement can comprise configurable security module, risk evaluation module and computing capability determination module.Described configurable security module, according to the configuration of operation set point, provides and security-related function in described massaging device.The described risk evaluation module one group of current safety risk that described massaging device bears of reappraising.The reappraise current state of computing capability availability of described massaging device of described computing capability determination module.
In addition, security configuration module is according to from described one group of current safety risk of risk evaluation module and according to the current state of the computing capability availability from described computing capability determination module, automatically the operation set point of dynamic-configuration security module.Described security configuration module comprises configuration determination module and configuration setting module.Described configuration determination module is determined the subset of major function from one group of security-related function, when one group of current safety risk in response to from risk evaluation module, will for the subset of described major function, carry out the configuration of configuration operation set point.Described configuration setting module is set the configuration of operation set point in response to the current state of the computing capability availability from computing capability determination module; with when the subset of described main security-related function is provided; reduce the calculated load that the operation because of described configurable security module causes on computer circuits; thereby be conducive to, when providing the safeguard protection corresponding to determined one group of current safety risk by risk evaluation module for described massaging device, realize the availability of described massaging device.
In another aspect of this invention, described computer circuits comprise safe arrangement, and described safety arrangement comprises configurable security module, position determination module, summary data storehouse, position and security configuration module.Described configurable security module is conducive to provide security service in portable information apparatus, and described position determination module is in order to determine and the indication to the current location of described portable information apparatus is provided.The security risk summary info that summary data storehouse, described position comprises a plurality of localized networks that are positioned at a plurality of geographical position.Described security configuration module, according to the risk summary info corresponding to current location comprising in summary data storehouse, described position, assesses with the described indication to current location the current safety risk that described portable information apparatus bears.Described security configuration module dynamically configures described security module, is beneficial to by the security server away from described portable information apparatus location or optionally provides some security service in described security service by security module.
According to another related fields of the present invention, a kind of method arranging for the safety on configuration information device is automatically provided, the arrangement of wherein said safety is to build by computing hardware or by the combination of computing hardware and software, and described method comprises: by calculation element, automatically assess the current safety risk level that portable information apparatus bears.In response to the described assessment to described current safety risk level, calculation element is automatically assessed by the subset of the main safety function that described safety arrangement is configured, to protect described massaging device from one group of safety function.Automatically the reappraise available computing capability of described portable information apparatus of calculation element.The method further comprises: by calculation element according to the assessment of described current safety risk level and according to described computing capability is carried out to definite result; automatically dynamic-configuration arranges safely to move on portable information apparatus; thereby when being provided, described main safety function subset reduces the calculated load that the operation because of described configurable security module causes on massaging device; thereby be conducive to, when providing the safeguard protection corresponding to current safety risk level for massaging device, realize the availability of massaging device.
Another aspect of the present invention relates to a kind of for automatically configuring the method for the security module on portable information apparatus, and the arrangement of wherein said safety is to build by computing hardware or by the combination of computing hardware and software.Described portable information apparatus is automatically determined its current location, and maintenance position summary data storehouse automatically, the security risk summary info that summary data storehouse, described position comprises a plurality of localized networks that are positioned at a plurality of geographical position.Described device is according to the risk summary info corresponding to described current location comprising in summary data storehouse, described position, its current safety risk of bearing of automatically reappraising, and according to described current safety risk, automatically reconfigure described security module, so that described security module is convenient to by the security server away from described portable information apparatus location or is optionally provided security service by described security module.
Some aspect of the present invention is applicable to solve the peculiar challenge of portable information apparatus (for example challenge mentioned above) and other challenge that particularly designer of small hand-held formula portable unit faces.Other side of the present invention is applicable to general massaging device, and regardless of the portable degree that is described device, also no matter described device is main battery-powered or powered by power line.Therefore, each aspect of the present invention is applicable to notebook and desktop PC, and other product or equipment that utilizes safety to arrange.For simplicity's sake, hereinafter described the embodiment of the present invention is to describe in portable information apparatus context.However, it should be understood that the combination that is suitable for the feature of dissimilar product by selection, various aspects of the present invention also can be accomplished and be applicable to being applied to device, system and the equipment of other type.
By the below detailed description to preferred embodiment, it is very clear that plurality of advantages of the present invention will become.
Accompanying drawing explanation
Read by reference to the accompanying drawings the below detailed description to different embodiments of the invention, can more thoroughly understand the present invention, in accompanying drawing:
Figure 1A is for showing portable information apparatus (portable information device; The calcspar of main outer member PID), according to the present invention, the arrangement of the safety of each side can be applicable to described portable information apparatus;
Figure 1B is for showing the calcspar of the main inner member of portable information apparatus shown in Figure 1A;
Fig. 1 C shows the system architecture that comprises safety measure, and described safety measure is not subject to full spectrum of threats for the protection of client apparatus;
The schematic diagram that the operation that Fig. 1 D is the client apparatus that used in not shielded network by user arranges;
Fig. 1 E is for showing the graphic of common risks sight, and wherein the user of client apparatus its data that are uncertain about are protected completely;
Fig. 2 A is for according to an aspect of the present invention, the machine security module of moving on portable information apparatus graphic;
Fig. 2 B illustrates graphic according to the security module of one aspect of the invention, and described security module comprises application layer protection, wherein can adjust configuration according to the application program of portable information apparatus;
Fig. 2 C and 2D show a kind of configurability type arranging according to the safety of the embodiment of the present invention, wherein can, according to the configuration with portable information apparatus or the relevant various factors of running status, dynamically configure thin client configuration and fat client configuration;
Fig. 2 E shows communication channel according to an embodiment of the invention, and described communication channel is conducive to move thin client or mixed security arrangement, in mixed security arranges, by telesecurity server, carries out most of security-related functions;
The calcspar of Fig. 3 A for showing that safety arranges according to an embodiment of the invention, wherein can be according to the current location of portable information apparatus, and automatically configuration is present in the configurable security module on described portable information apparatus;
Fig. 3 B shows the example in the summary data storehouse, position of using together with the arrangement of safety shown in Fig. 3 A according to an embodiment of the invention, the record that described database comprises different location or geographical position, described place or geographical position are to identify according to its comparatively safe or dangerous degree with safety or threat level;
Fig. 4 A, for showing arrange according to a kind of safety of embodiment type graphic, wherein can, according to the current computing capability of the current safety summary of portable information apparatus, portable information apparatus or simultaneously according to the two, automatically configure security module;
Fig. 4 B shows according to an embodiment, the exemplary arrangement of the risk evaluation module that shown in Fig. 4 A, safety arranges;
Fig. 4 C shows according to an embodiment, the exemplary arrangement of the computing capability determination module that shown in Fig. 4 A, safety arranges;
Fig. 4 D and 4E are for showing different embodiment according to the subject invention, the form of the data acquisition system example comprising in the device information database as a computing capability determination module part;
Fig. 4 F is form, its representative according to one of one aspect of the invention group the example of definite portable information apparatus Configuration Type;
Fig. 5 is flow chart according to an embodiment of the invention, and it shows for determining the decision process of the type of the security threat database update that will carry out; And
Fig. 6 is flow chart according to an embodiment of the invention, and it shows the simplified example of how selecting different security configurations according to the remaining power life-span.
Although the present invention easily has various modifications and alternative form, be to show and also describe hereinafter its detail in detail with way of example in the accompanying drawings.However, it should be understood that it is not that the present invention is defined as to described specific embodiment.On the contrary, the invention is intended to contain and belong to the spirit of the present invention that defined by the claims of enclosing and all modifications form, equivalents and the alternative form in scope.
Embodiment
Figure 1A shows exemplary portable information apparatus (portable information device; PID) 10 calcspar.Portable information apparatus 10 can be that smart phone, PDA, UMPC, MID or any other little lightweight are calculated and communicator.Portable information apparatus 10 comprises compact shell 12 and user interface, and its housing 12 is small enough to make this device easily to carry, and described user interface comprises display 14 and user input apparatus, and for example keyboard 16.Portable information apparatus 10 can have touch-screen (touchscreen) display that display and user input apparatus are combined.
Figure 1B further shows the calcspar of other function element of portable information apparatus 10.Portable information apparatus 10 further comprises the computer circuits (for example processor 20) that carry out interface with data storage, and wherein said data storage has RAM 22a and nonvolatile memory 22b.Processor 20 also carries out interface with the radio communication circuit 24 that is coupled to antenna 26, and radio communication circuit 24 can be the form of mobile phone radio (CDMA, GSM, Iridium etc.), Wi-Fi, bluetooth (Bluetooth) or any other this kind of telecommunication circuit.Should be understood that processor 20 and user interface device carry out interface, and carry out interface with any other ancillary equipment that can form a part for portable information apparatus 10.Portable information apparatus 10 also comprises the power supply 28 of (the on-board energy source) 30 that have the veneer energy, and for realizing real portability and move operation, wherein the veneer energy 30 is illustrated as the form of battery in Figure 1B.All elements that power supply 28 is portable information apparatus 10 from the energy 30 provide suitable power supply, and comprise for providing external power source with operation portable information apparatus 10 and the circuit to the energy 30 chargings.
Although current actual device is often mainly utilized some technology, the for example microcontroller based on CMOS, DRAM, flash non-volatile memory, frequency communication devices, energy storage batteries etc., yet should be understood that the present invention never only limits to any specific one group of technology.Some aspect of the present invention relates to the challenge that solution small sized personal calculates and communicator usually faces, regardless of its concrete framework or technology, in these small sized personals calculating and communicator, between performance and user's experience and energy requirement, portability and size, can there is intrinsic trading off.
When as data communication equipment, mancarried device (for example portable information apparatus 10) links to mainframe network conventionally, and mainframe network is again by providing connectivity such as wide area networks such as internets.The operation of mainframe network Ke You cellular telephone services provider, as in the situation at smart phone type 3G device.The common mainframe network of other type can comprise (the Internet Service Provider by ISP; ISP) be connected to local area network (LAN) (the local area network of internet; LAN) the IEEE 802.11Wi-Fi focus (hotspot) on.Mancarried device also can be connected to form mesh network (mesh network) with other device.Type of arrangement regardless of mainframe network, wherein making portable information apparatus utilize any layout of any any service from another calculation element (for example Internet connection) is all that client-server is arranged, wherein portable information apparatus is client computer, and the calculation element that service is provided is server.
Fig. 1 C shows the system architecture that comprises safety measure, and described safety measure is not subject to full spectrum of threats for the protection of client apparatus 150.Server 100 is controlled the flow that for example, flow to network 140 from external network 110 (internet).Client apparatus 150 represents any in various portable information apparatus.The various application programs 160 of client apparatus 150 operation.The various application programs 130 of server 100 operation, to support or to be conducive to the operation of client applications 160.An example of application program 130 is web server application program.Except for supporting or being conducive to realize the server application of major function of client applications, described server also has security application.Supervisor console 120 provides keeper access, with Control Server application program 160 and change different application setting values.Supervisor console 120 has graphic user interface (the graphicaluser interface of himself; GUI), so that server administrators can adjust server application 160 in real time.By control desk 120 is provided, keeper can be controlled at security application and other the various application programs of moving on server simultaneously.
Fig. 1 D is the schematic diagram that the operation of the client apparatus 200 that used in not shielded network 210 by user arranges.The various client applications 240 of client apparatus 200 operation.When the user of client apparatus 200 attempts in coffee-house, hotel, airport or other public place access the Internet or attempts to load software upgrading in this kind of place, can there is this kind of arrangement.
Traditionally, need to provide for client apparatus 200 security application 230 of himself.Utilize supervisor console 220, the needs that the user of client apparatus 200 can understand according to user are adjusted the set point of security application 230, to set protection class.For example, when user is connected to internet by public network, user can think that enhancing will be more appropriate as the positive property of the anti-virus scan program of security application 230 parts.This kind of arrangement is that operation thinks that client applications 240 provides the example of the fat client computer security application of protection in client apparatus 230 the machine.
The challenge that this kind arrangement faces is that the required insufficient system resource of operation client applications 240 can limit fat client computer security application 230.Similarly, the consumption of the required computational resource of security of operation application program 230 can limit client applications 240.Even when computational resource is sufficient, because focusing on security application 230 and client applications 240 the two battery consumption that cause also can significantly reduce mobility and the availability of portable information apparatus between twice charging.For these and other reason, traditional fat client computer arranges safely to substitute global safety arrangement completely, for example, above with reference to the safety described in Fig. 1 C, arrange.
Fig. 1 E is show the sight that is uncertain about the user of client apparatus wherein its data are protected completely graphic.User may be sure of that home network and job network can benefit from security server (for example fire compartment wall in mainframe network); but in other place; user's device can be subject to the destruction of assault or unknown program; thereby may break through any unsubstantial fire compartment wall or other safety measure on user's set, so user cannot similarly be sure of that its data are protected completely.
Fig. 2 A is for according to an aspect of the present invention, the machine security module 300 of moving on portable information apparatus graphic.Term used herein " module " means real world device or element, and it is to use constructed in hardware, for example, use field programmable gate array (field-programmable gate array; FPGA) application specific integrated circuit (application specific integrated circuit; ASIC) build and to form, or be built as the combination of hardware and software, for example, use microprocessor system to form for building the instruction structure of security module function with one group.Module also can be built as the two combination, and wherein some function is realized by hardware, and other function is by the hardware and software realization that combines.In certain embodiments, at least a portion of module (can be in some cases whole module) can be used for upper execution of portable information apparatus processor (for example processor 20 of portable information apparatus 10) of executive utility.Correspondingly, security module 300 can be embodied as various configurations, and should not be limited to illustrated any specific embodiments herein.
Security module 300 is carried out the combination in any of one or more security-related functions, for example, stop unwelcome content 302, detect/clean (scrub) unwelcome content 304 and offset threat 306.These security-related functions are only explained with way of example hereinafter roughly, but not want as the safety function list essential or exhaustive being applicable in the spirit of the present invention of security module 300.Can there are various other security-related functions, to augment or to replace illustrated any function herein.
Stop unwelcome content 302 to be for example included in, for example, before unwelcome content (virus, worm and other Malware, ad ware, spyware, spam etc.) and undesirable data traffic (assault) can be placed on this machine, stop any these threats or program.Conventionally, this function relates to and in fire compartment wall, stopping or transferring content or data traffic.Detecting/clean unwelcome content 304 may penetrate described prevention function and now with certain form, reside at the content on this machine being applicable to.The representative instance of this function will comprise: according to virus definition scan database virus, and to the isolation that removes or quarantine of those program command or related data.Offset to threaten 306 to be applicable to the detected ongoing attack or the threat that perhaps detected in unwelcome, and comprise and take measures to stop any program of being accused of or process, stop network traffics and restore the system to last known safe condition.
Security module 300 comprises various elements, for example fire compartment wall 308, message filter 310, anti-malware/ad ware stop/removing tool 312 and system backup/recovery utility 314.These elements can various combination form be worked, to realize the difference in functionality of security module 300.
In one embodiment, security module 300 is conducive to realize the configurability of its function.For example, a kind of configurability type is to be optionally switched on or switched off indivedual elements or function.Another configurability type is dynamically to adjust the operation of discrete function or element.For example, in one embodiment, can adjust according to Systems Operator's needs the operation set point of fire compartment wall 308, so that level of protection is set for, have more or more do not there is positive property.
In another example, anti-malware/ad ware element 312 is adjustable.Anti-malware/ad ware element 312 has known threat definition database, for scan data memory, whether has any known threat.In one embodiment, can, according to system or user's needs, limit or expand this threat definition database additionally to threaten to define.
In related embodiment, can not adjust various other operation set points of security module 300 with automatically (not needing user intervention).Each aspect of the present invention is recognized, the difference operation set point of the various different safety functions of capable of regulating or element, but not only limit to example as herein described.
Fig. 2 B illustrates the security module that comprises according to an embodiment of the invention application layer protection, wherein can adjust configuration according to the application program of portable information apparatus.Application filters device 320 and fire compartment wall 322 obtain the information about the operation of the machine system from different osi model layers.Engine 3 24, in the auxiliary lower operation of invasion descriptive data base 326, to isolate known threat or attack, and is analyzed the flow of inputting.In an embodiment of invasion descriptive data base 326, with XML form, represent the description to threatening.Each threatens description 328 can comprise various data entries, for example the type of application program, its version, the registry key being associated with this application program, pregnable port etc.For each, threaten and describe, utilize described various data entries to set up special rule, for monitoring and filter the network traffics of inputting.Due to for concrete threat, thereby these rules can be adjusted, to tackle the attack of some type or for special application.
Engine 3 24 and two information channels communicate coupling: application state information 328 and connection state information 330, these two information channels are coupled with application filters device 320 and fire compartment wall 322 respectively again.When setting up a network connection, or when application program 335 is brought into use particular port, engine 3 24 just judges whether to have according to the content of database 326 any larger possibility that has any known threat.Any threat identifying is in this way all by a relatively little but subset for height correlation more that forms available known threat.Therefore, can analyze practically and follow the tracks of this little subset.
Be in operation, fire compartment wall 322 is only tackled the sub-fraction of total data flow, because connection state information 330 has mainly comprised communication protocol and relevant information, and Internet Control Message Protocol (Internet ControlMessage Protocol for example; ICMP) order.Most potential threat still needs more thorough analysis and about these threats and the more details on the impact of its target computer system thereof.Therefore the information, only obtaining by analysis ICP/IP protocol is not enough to the protection class that provides healthy and strong.
In application layer, special filter 320 makes threat analysis to be concentrated on the known one group of concrete leak of each application program 335.Flow between the 320 interception TCP/IP services 332 of application filters device and communications protocol layers 334.The flow of tackling is analyzed respectively for each application program by engine 3 24.In one embodiment, safety system is identified used application program (for example MS Outlook Mobile).In related embodiment, system according to the port of use just and just the type of the data communication protocol of use determine the type (such as web browser, game etc.) of active application program.Thus, system is known the type of concrete active application program or application program used.Utilize this kind of information, system is chosen as current application program or the movable appropriate protection scheme customizing.Thus, system only concentrates on secure resources the one group of relatively little rule being associated with the exposure of the concrete application program of current operation and threatens and describes 326.
Fig. 2 C and 2D show a kind of configurability type arranging according to the safety of the embodiment of the present invention.Can be according to the configuration with portable information apparatus 10 or the relevant various factors of running status, dynamically configuration is shown in thin client configuration and the fat client configuration in Fig. 2 C and 2D, and this will be described in more detail hereinafter.The capable of dynamic configurability that these embodiment provide makes it possible to the safe class that keeps enough, makes user's set have better calculated performance or better mobility or have the two simultaneously simultaneously.Therefore, no matter user can be connected to network wherein, with keeping be sure oing having suitable security configuration per family.If user's set is arranged in the specific local network of known safe, select wherein to rely on shown in Fig. 2 C that is present in the security application in LAN server and configure.In this kind of situation, user's set will adopt thin client security configuration, to alleviate the security-related calculated load acting on completely on server.In this kind of thin client configuration, user's set has the computational resources that can be used for moving common applications (non-security application program) more, thereby obtains better performance and energy economy.
On the contrary, if determined user's set, by still knowing the local area network (LAN) with safe enough, be not connected to internet, select the configuration of Fig. 2 D.Arrangement shown in Fig. 2 D has the security application moving in user's set the machine with fat client configuration.Although user's set will reduce for the calculated performance of non-security application program, yet the fat client computer shown in Fig. 2 D arranges safely to provide enough fail safes in the situation that not there is not protected network.
In related embodiment, the thin client/fat client computer that can be configured to mix arranges safely, wherein some safety function is offloaded to server, carries out other safety function in portable information apparatus the machine of user simultaneously.For example, in this kind of mixed configuration, the fire compartment wall that portable information apparatus 10 operation one functions lower, this fire compartment wall is controlled the network traffics of output data and is stopped all unwarranted input flow rates, but does not bear the task of having or not potential harmful data payload (payload) in the authorized input flow rate of scanning.In this mixed configuration example, security server is born all the other firewall functionalitys that need to carry out intensive calculations that have or not potential threat and these threats are reacted in scan-data communication.
Fig. 2 E shows communication channel according to an embodiment of the invention, and described communication channel is conducive to move thin client or mixed security arrangement, in mixed security arranges, by telesecurity server, carries out most of security-related functions.The user that this kind of arrangement can be used for client apparatus 350 is wherein away from security server 352 location but wish to utilize in the situation of its resource.Similarly, this kind of arrangement can be used for wherein user's request or the requirement of client apparatus 350 to be used in the situation of remote security system, and in this kind of situation, protected network 352 will be carried out the various safety functions that are conducive to client apparatus 350.Of the present invention in this respect in, be connected with the safety of security server 352 and comprise VPN (virtual private network) (virtual private network; VPN) connection 354 and extra encryption connection 356, wherein VPN connection 354 is embedded in this extra encryption connection 356.In the embodiment of a type, for example, according to known client identifier (user's personal data or exclusive hardware parameter), realize and encrypting.User can be pre-created the various parameters that are encrypted according to this, before user wishes to use safety connection, creates.At client apparatus 350, be connected after foundation with the safety between security server 352, the user of client apparatus 350 is resource or its outside connection 358 of access security server 352 safely.Outside connect 358 can be Internet connection or with certain being connected between other common unsafe network, on security server 352, the protection software of operation can make the described connection safety that becomes.In related embodiment, encryption connection 356 monitoring VPN connect 354 integrality, and when this monitoring results detects described connection for any former thereby unexpected termination, take measures to recover described connection.
When and how another aspect of the present invention relates to structure and about, for portable information apparatus, automatically configures the decision criteria of safety arrangement.Can, for example by the layoutprocedure of operation on portable information apparatus 10, in the machine, set configuration.Or, can for example by telesecurity server, remotely set configuration.At one, wherein in the machine, set in the embodiment configuring, the task of the security configuration module of moving in the machine of portable information apparatus 10 is determine when configuration or reconfigure security module and set up which kind of operation set point.Security configuration module can receive, monitor or otherwise obtain about following information: the running status of system configuration, portable information apparatus 10, the relevant historical of portable information apparatus 10, global safety situation information, user preference or their combination.This information then again will be for configuring security module automatically.System configuration data can comprise the list of type of device, processor speed, memory size, processor bus speed, battery capacity, institute's set up applications and the list of the frequent application program of using.
Remotely carry out therein in the embodiment of security module configuration, portable information apparatus 10 foundation are connected with telesecurity server, and system configuration, running status, relevant historical, global safety situation information, user preference data etc. are transferred to server.Server receives and analyzes transmitted data, and beams back for adjusting the order of the configuration set point of security module to portable information apparatus 10.
Running state data can comprise following: for example list of the application program of the provider location of portable information apparatus 10, network traffics speed, network traffics total amount, remaining battery capacity, institute's memory allocated amount, current operation or processor free time.The relevant historical of portable information apparatus 10 comprises following: for example detect nearest history, the Internet packets survey meter (Ping) higher than normal frequency of originating from the unknown of attacking or connect attempt etc.These can be relevant to positional information.Global safety situation information can comprise the current overall status of for example existing threat.For example, pattern of the server failure popular, that caused by Denial of Service attack (denial-of-service attack) of specific worm etc. will be tending towards improving overall threat level.For example, the information of this type is continued to monitor by security firm, and can in security update process, offer portable information apparatus 10.User preference can comprise following: for example customer-furnished risk tolerance is inputted or performance requirement.
The calcspar of Fig. 3 A for showing that safety arranges according to an embodiment of the invention, wherein can be according to the current location of portable information apparatus 10, and automatically configuration is present in the configurable security module 400 on portable information apparatus 10.Security module 400 comprises fat client computer security 402 and thin client security 404.Fat client computer security 402 is with the similarity of security module 300 mentioned above, and it can comprise various safety functions and element, and wherein each safety function and element all can configure separately or adjust.Thin client security 404 includes the measure being connected 406 realizing with telesecurity server that is beneficial to, this comprises the module of the network address that disposes different security servers, and described module construction is for being connected to or utilizing any one logic of telesecurity server.The embodiment of one type utilizes the tunnel of encryption to connect, for example, above with reference to the connection described in Fig. 2 E.Thin client security 404 also comprises task coordinate measure 408, and it is conducive to realize the information exchange between fat client computer security 402 and telesecurity server.The role of task coordinate part 408 is also included in and adopts mixed security arrangement so that some part of fat client computer security 402 is guaranteed correct overall operation during with telesecurity server collocation operation by thin client security 404.
The arrangement of the safety of Fig. 3 A further comprises security configuration module 410, and security configuration module 410 is carried out interface with security module 400 and set up or adjust the configuration of security module and move set point according to various inputs and according to decision criteria 412.The input of one type is the current location of portable information apparatus 10, and it is provided by position determination module 414.Position determination module 414 is determined in real time or is estimated simply where portable information apparatus 10 is positioned at or which localized network portable information apparatus 10 may be used be connected to internet.In this kind of embodiment, position determination module 414 comprises global positioning system (global positioning system; GPS) receiver, to determine provider location.In related embodiment, position determination module 414 utilizes network topology analyzer to analyze packet, to infer portable information apparatus 10 can rely position or the network identity of the localized network that communicates.The character of the positional information that these two kinds of methods provide is different, so the use that can mutually combine of these two kinds of methods, to produce the better estimation to position used or network.In another related embodiment, position determination module 414 comprises user interface elements, to allow the user of device to input its position.User interface input can be determined and be combined with GPS location or network topology, to finely tune described position or network identity.For example, can provide two or three possible options to user, to select according to this network used, these options are automatically to produce according to the information of inferring by other location determining method.
Can in the spirit of each side of the present invention and scope, determine by different way the position of client apparatus.All multiple other are widely known by the people for determining the technology in the geographical position of interconnection device, and can utilize any suitable technology.
Security configuration module 410 utilizes station location marker to determine the security risk summary of current location.According to security risk summary, configuration module 410 utilizes decision criteria 412 to set the configuration that is suitable for security module 400.Summary data storehouse, security configuration module estimation position 416, to search current location from being arranged in the list of the localized network of diverse geographic location.
The example in Fig. 3 B display position summary data storehouse 416, the record that described database comprises different location or geographical position, described place or geographical position are to identify according to its comparatively safe or dangerous degree with safety or threat level.For example, in the situation that user is concerned about, known some place (for example, in the arrangement of Figure 1A) on server with good network fail safe can be represented as has " safety " state.In one embodiment, the record that database comprises point from all parts of the world.User's copy of this database can be maintained on portable information apparatus 410, wherein whenever client apparatus communicates Shi Junke with the security system server of safeguarding master's (up-to-date) version of this database, is automatically upgraded.Or the addressable telesecurity server of security configuration module 410, to inquire summary data storehouse, position 416.Can classify in the place being stored in database as shown in the embodiment of Fig. 3 B: it is safe being identified; It is safe by user, being specified; May be safe; And may be unsafe.In another embodiment, can utilize for determining that the combination of different technologies of the position of portable information apparatus 10 confirms " safety " state and break through the attempts such as position deception (spoofing).Can utilize various other safe class classification or marks.
In related embodiment, system support defines the dependable condition of safe condition.Therefore, user can carry out security evaluation from row according to its observation and according to the information comprising in database.In another related embodiment, client apparatus, in order to after being connected according to the nearest security server of the security application of the embodiment of the present invention with operation, refreshes its location database.
Fig. 4 A, for showing arrange according to a kind of safety of embodiment type graphic, wherein can, according to the current computing capability of the current safety summary of portable information apparatus 10, portable information apparatus 10 or simultaneously according to the two, automatically configure security module.Described arrangement comprises above with reference to the configurable security module 400 described in Fig. 3 A, configurable security module 400 can be configured to thin client mode, fat client mode or mixed mode, and optionally enables or forbid various safety functions or element or dynamically adjust various operation set points.The configuration of security module 400 or adjustment are to be carried out by security configuration module 450, security configuration module 450 can be present in portable information apparatus 10 the machine together with security module 400, or can be away from portable information apparatus 10 and by access to netwoks security module.
Security configuration module 450 comprises configuration determination module 460 and configuration setting module 465.Configuration determination module 460 comprises decision criteria, which for reading and process from least one input of risk evaluation module 470, computing capability determination module 480 and user's input module 490, to judge, be applicable to security module 400 to set configurations or operation set point.Configuration setting module 465 is set determined configuration or operation set point then in security module 400.
In one embodiment; the operation set point of the configuration setting module 465 configuration security modules 400 of configuration determination module 460 and security configuration module 450, object be alleviate calculated load that the operation because of configurable security module 400 causes on computer circuits, simultaneously maintain safe class with for by security configuration module according to protecting from the determined security risk of input of risk evaluation module 470.
In this kind of method, configuration determination module 460 is maintained in the system of available security-related function in security module 400.This security-related ergasia is according to being sorted by the determined one group of current safety risk of risk evaluation module 470.Therefore, in this embodiment, this system arrangement is dynamic; Although in more basic embodiment, also can utilize the static system arrangement of security-related function.This system is according to protecting required importance to sort for one group of current safety risk.For example, in runs web browser program but do not move in the portable information apparatus 10 of Email client, for keeping preventing from being subject to possible security threat, for example message screening function is even more important for fire compartment wall and anti-malware/ad ware function ratio.
In related embodiment, the importance of function is by thinner granularity division grade, wherein can change the operation set point of other security-related function of each grade.For example, can adjust anti-malware/ad ware function, to protect for the specific threat being associated with the current application program of just carrying out, rather than for all known threats, provide the protection of wider scope in portable information apparatus 10.
In one embodiment, configuration determination module 460 is according to derive or select the system order of security-related function from one group of current safety risk of risk evaluation module 470, and according to by the determined current computing capability of computing capability module 480, from this system, further select the subset of major function.Thus, available computing capability is larger, generally can provide more safety functions; Yet under the condition reducing in computing capability, safety is restricted to only some key character.Correspondingly; according to environment and dynamic constraints fail safe intelligently; making to configure setting module 465 sets and moves set point for security module 400; thereby when the subset of main security-related function is provided; reduce the calculated load that the operation because of security module 400 causes on computer circuits; thereby be conducive to, when providing the safeguard protection corresponding to one group of current safety risk for portable information apparatus 10, realize the availability of portable information apparatus 10.
In related example, when computing capability reduces gradually-when the battery of portable information apparatus 10 exhausts because of use, be this kind of situation, configuration setting module 465 is by the order from less important function to main function, little by little forbid security-related function, to be kept for the computing capability of the non-safety function of portable information apparatus 10.
In different embodiment, risk evaluation module 470 obtains in order to determine the information of current risk summary.Fig. 4 B shows an example, and wherein risk evaluation module 470 is carried out interface from several different risk relevant informations source.In the example shown, risk evaluation module 470 communicates with position determination module 414 and location database 416 (the two is all illustrated above), to obtain information the definite corresponding safe class being associated with current location about current location.In this example, risk evaluation module 470 is also carried out interface with security server link block 500, so that risk evaluation module 470 obtains security-related information by network.The example of this kind of information comprises about the information of general threat level and when being combined with position determination module 414, about the information of the peculiar threat level of current location.
One group of current safety risk that risk evaluation module 470 assessments and the portable information apparatus 10 of reappraising bear.In a kind of arrangement, risk evaluation module 470 is periodically carried out and is reappraised, for example, with certain predetermined time interval execution, reappraise.In another kind arranges,, in response to the appearance of some event relevant to risk assessment, for example, when opening new Application Instance, execution is reappraised.In related embodiment, both periodically carried out, and also in response to event, carried out and reappraise.In the embodiment of this type, periodically reappraise that some can not be tending towards the risk sign of frequent variations, for example current threat level sign; And other security risk sign, network traffics total amount for example, be tending towards because of operational mode or on portable information apparatus 10 variation of the application program of operation sharply change.
In one embodiment, application program analysis module 510 checks the registration of the operating system of portable information apparatus 10, to determine which application program is installed on this device.According to this kind of information, risk evaluation module 470 combines with application program analysis module 510 and just can determine the concrete leak of portable information apparatus 10.Such as application programs such as web browsers, the leak summary that is different from email application for example or electrical form will be there is.In related embodiment, application program analysis module 510 checks current used application program, and this subset is less than all installed application programs.Therefore, in one embodiment, according to currently used application program, determine, risk summary sign can temporal evolution.
Security history module 520 provides about reflecting the information of the security-related up-to-date event of current threat level.For example, if fire compartment wall has detected frequency that unknown devices attempts to access portable information apparatus 10 higher than normal frequency, this can be the sign that intrusion risk increases.Also diverse location event history can be associated with positional information, so that can have different relevant historical.Therefore,, if user is carried to new position by portable information apparatus 10, will check the relevant historical of this position.
Refer again to Fig. 4 A, computing capability determination module 480 provides the information about the systematic function of portable information apparatus 10, for security configuration module 450, uses.This kind of information makes security configuration module 450 can select to be suitable for the configuration of configurable security module 400, thereby can be because of the operation of the safety system burden of heavy system performance exceedingly.In the embodiment of a type, the computing capability information that security configuration module 450 provides computing capability determination module 480 is considered together with risk summary info, to realize appropriate balance between the performance requirement at portable information apparatus 10 and demand for security.
The current state of the computing capability availability of 480 assessments of computing capability determination module and the portable information apparatus 10 of reappraising.In a kind of arrangement, computing capability determination module 480 is periodically carried out and is reappraised, for example, with certain predetermined time interval execution, reappraise.In another kind arranges,, in response to the appearance of some event relevant to computing capability, for example, when opening new Application Instance, execution is reappraised.In related embodiment, both periodically carried out, and also in response to event, carried out and reappraise.In the embodiment of this type, periodically reappraising, some can not be tending towards the computing capability sign of abrupt change, for example battery capacity; And other computing capability sign, available memory for example, be tending towards because of operational mode and on portable information apparatus 10 variation of the application program of operation sharply change.
Fig. 4 C is presented in an example embodiments, several examples of the input type that computing capability determination module 480 receives.Input 540 is type of device designators, and it is portable information apparatus 10.Computing capability determination module 480 is accessible devices information database 545 also, and device information database 545 can reside in portable information apparatus 10 the machine or away from portable information apparatus 10, and the performance metric of the classification that comprises various type of device.Because type of device can be static data entries in many situations, thereby can in being installed on to the process on portable information apparatus 10, safety arrangement determine this information.Fig. 4 D is the form of one group of data of the exemplary that comprises in display device information database 545.Size of display, processor type, data storage type and size, battery capacity and measure of communication are conducive to estimate the performance characteristics of each device, comprise the consumption speed of battery.The information that the Systeminfo utility program for Windows XP of another example Shi You Microsoft company of the data in device information database produces.
Fig. 4 E is another embodiment of one group of data comprising in device information database 545, wherein for the device of each type is given predetermined performance score or a rank.According to this performance class, can determine specific Configuration Type, as shown at Fig. 4 F.According to different embodiment, in foundation in the installation process that the Configuration Type shown in Fig. 4 F can arrange in safety, the renewal process in this installation, set up or dynamically set up.The embodiment of capable of dynamic configuration can be suitable for wherein can having the situation of upgradability or extendibility, for example, for example, in thering is expansion storage card slot (MicroSD) device, or for can be by the user installation device of high-capacity battery more.
Refer again to Fig. 4 C, processor monitor 550 provides the indication about the load on the processor of portable information apparatus 10, and provides corresponding input to security configuration module 450.In one embodiment, the time ratio of processor monitor 550 measurement processor in idle condition.For example, some processor utilizes the pattern that reduces clock speed in its idle condition, for example, be derived from Intel Company
Figure G200910135011XD00171
feature or be derived from Cool ' the n Quiet of AMD tMfeature.In an embodiment of the present invention, can monitor the operation of these patterns and utilize its measuring as processor load.Processor load is a kind of indication type of the working strength that just standing of portable information apparatus 10.This information contributes to determine portable information apparatus 10 and except processing other application program that can cause processor load, also processes the ability of the operation of security module 400.In a similar fashion, memory monitor 560 monitoring memories distribute also provides corresponding input to security configuration module 450, and wherein memory distributes and is system loading and measures for another of the capacity of security of operation module 400.In the relatively high situation of the load of the storage resources of processor and portable information apparatus 10, configuration module is the function (if in the situation that considering current risk summary and user's defined tolerance, do not do so and can conflict with demand for security) to security module 400 configuration reductions temporarily.
Network traffics total Amount Monitoring device 570 provides input to security configuration module 450, to indicate the current state of the network traffics of turnover portable information apparatus 10.The network traffics of inputting and exporting can provide the information about the character of the current application of portable information apparatus 10.As directly measuring, the available communication bandwidth that the configuration of some type of network traffics total amount indication security module 400 may need.As indirect measurement, the working strength that the ratio of the main direction of network traffics total amount and data flow and input data total amount and output data total amount can indicating user and corresponding device performance requirements.In one embodiment, as judgement, be that security module 400 is configured to thin client mode or a part of moving with fat client mode, the input that security configuration module 450 is considered from network traffics total Amount Monitoring device 570, wherein the required communication bandwidth of thin client mode is greater than fat client mode.
Battery capacity indication 580 provides battery status information to security configuration module 450.Battery status can be indicated the information about computing capability limit, even because processor, memory and communication bandwidth can be enough to support healthy and strong security configuration, the calculated load of security module in that configuration also need to be more high-power.At portable information apparatus 10, exist the situation of limited energy reserve can require security module 400 to be configured to reduce the operational mode of loading.
Refer again to Fig. 4 A, security configuration module 450 can further receive input from user's input module 490, so that the user of portable information apparatus 10 can provide its preference for considering when configuring security module 400.In one embodiment, user's input module 490 provides the sliding shoe (slider) that can be operated by user or other control device intuitively by user interface, so that user can be used to select to bias toward fail safe or bias toward performance.For example, need to be at browse network or need to move reposefully the application program with numerous pictures time, user can be set as biasing toward performance by controlling sliding shoe very peremptorily of the set moment user.In related embodiment, user's input module 490 provides user to control, and is beneficial to also optionally close other background program after can being closed to carry high performance safety element.User, want to access in another situation of personal information or Financial Information, user can set control sliding shoe for indication and bias toward fail safe.
Each aspect of the present invention imagination, security configuration module can be programmed any suitable decision logic, to determine the configuration set point of security module 400 according to its received various inputs.And, can select or go out decision logic by the derivation of equation according to type of device.For example, with have more powerful processor and more the notebook type device of large memories compare, there is the more positive responding ability that decision-making summary that the intelligent telephone equipment of less computational resource and less communication bandwidth has can support to bias toward retention.
Also dissimilar device can be configured in a different manner similar situation be reacted.For example, the input of security configuration module 450 therein shows to reduce in the situation of the calculated load that causes because of security module 400, and device A can preferentially fade to thin client configuration from fat client configuration, usings as the initial response to this situation; And device B can preferentially reduce the function of security module 400 when security module 400 remains in fat client mode.
In the embodiment of a type, security configuration module 450 is programmed, with according to representing that the multivariable input of security risk summary and computing capability and user input set point and come calculated performance-risk vectorial, thereby in the security risk protection that suitable grade is provided, balance keeps the needs of the performance of portable information apparatus 10.Each variable in described multivariable input can be endowed different weights, so that corresponding input has larger importance in formula.In an example embodiments, some variable is weighted by following order (from weight limit to minimal weight):
Running down of battery;
User preference;
Position;
Existing application;
Network traffics; And
Current overall safety threatens.
In another example how utilizing about security configuration module 450 from risk evaluation module 470 and the input of computing capability determination module 480, Fig. 5 shows according to one embodiment of the invention for determining the decision process of the type of the security threat database update that will carry out.In 600, application program analysis module 510 detects and is present in the institute's set up applications on portable information apparatus 10.In 610, according to this list, application program analysis module 510 is more selected new option from three: option 620 will only describe to configure threat data storehouse with the more new threat of institute's set up applications.Option 630 becomes to comprise that by database configuration the threat being associated with institute set up applications adds the description of other threat being associated with the application program with similar characteristics.For example, at Mozilla Firefox, be in the situation of institute's set up applications, option 630 comes more new threat to describe the threat to be associated with general networking browser program.Option 640 has acquisition the complete configuration of all known threats definition, as do not comprise conventional security for reducing the measure of its general function arrange in.In one embodiment, according to by the determined computing capability of computing capability determination module 480, according to processor and memory capabilities and optionally according to current load condition, from these three options, select.In related embodiment, current battery life can be the factor that determines the renewal of which kind of type of execution.
Fig. 6 is flow chart, and it shows the simplified example of how selecting different security configurations according to the remaining power life-span.When the remaining power life-span, along with the use of portable information apparatus 10, from height, drop to when low process shown in sequentially following.Generally speaking, first forbid unessential safety function, and finally forbid main safety function.In the example of Fig. 6, in 700, first forbid the supervisor console of the safety system of operation on portable information apparatus 10.Because supervisor console is user interface, himself does not carry out safety function, so it is to system resource formation load, and this kind of load is pure expense.
In 710, described system judges whether to exist with any of telesecurity server and shows with communicating by letter.If existence now with communication, shows security module and moves to depend on to a certain extent the configuration of security server.In this kind of situation, skip in 720 being conducive to be connected to the forbidding of the coded communication channel of server.On the contrary, if security module is not communicating with security server, can in 720, forbid encrypting module.In 730, whether systems inspection location positioning function can be moved.If can move (not disabled), make the related management function of location database keep moving, to support location-based configurability function.If location positioning function is not used, disabled position database and any other correlation function in 740.
In 750, when battery further exhausts, fire compartment wall and anti-virus function are down to minimum gradually.With reference to Fig. 5, described and be down to gradually a minimum example hereinbefore, wherein reduced to threaten descriptive data base, so that expend in the system resource solving in the security risk that possibility is lower, reduced.By only focusing on those risks the most relevant to current application program type or only focusing on those application-specific that are arranged on portable information apparatus 10, can more effectively utilize the system resource expending in fail safe.
When battery continues further to exhaust, in 760, disabled position is determined and response function and communication function, with keeping system resource only for most important fire compartment wall and anti-malware function.Some time, need judgement be by each safety function all forbidding with keeping system resource only for the application program moved or can not accept to make application program to have no operation on portable information apparatus 10 safely.Correspondingly, in one embodiment, when battery reaches critical low electric weight (such as 10%), device carries out unsafe operation by reminding user mandate.In related embodiment, in the different safety system forbidding stages, provide user notification, thereby make user can adjust the behavior of the resource management of portable information apparatus 10.
, there is the in fact proper method of unlimited amount in various aspects imagination of the present invention, these methods can be built into according to different inputs and configure security module 400 in the decision criteria of configuration determination module 460.And, can realize many modification of the Configuration Type of security module 400.Therefore, should be not above described in claims and restriction outside will limit the invention to any concrete example expressivity example as herein described.
Each embodiment is intended to as exemplary and non-limitative illustration above.Other embodiment is also in the scope in claims.In addition,, although set forth various aspects of the present invention with reference to specific embodiment, those skilled in the art will realize that and can under the condition that does not deviate from the spirit of the present invention that defined by claims and scope, make the variation in form and details.
One of ordinary skill in the art will recognize, the feature that the present invention comprises can be less than the feature shown in above-mentioned arbitrary indivedual embodiment.Embodiment described herein does not really want as the exhaustive of the combining form of different characteristic of the present invention is shown.Therefore, embodiments of the invention are not the alternative combination of each feature; But as those skilled technical personnel to understand the general, the present invention can comprise the combination of the indivedual features of difference that are selected from different indivedual embodiment.
Above with way of reference, being incorporated to of any document is all restricted to the contrary subject matter of this paper clearly disclosed content of institute and is not all incorporated herein.Above with way of reference, being incorporated to of any document is further restricted to the claim being comprised in these documents is not incorporated herein.Above with way of reference, being incorporated to of any document is also restricted to and makes any definition of being provided in these documents not incorporated herein by reference, unless clearly comprised in this article this definition.

Claims (19)

1. a massaging device with the safeguard protection of capable of dynamic configuration, described device comprises:
Configurable security module for according to the configuration of operation set point, provides security-related function in described massaging device;
Risk evaluation module, one group of current safety risk of bearing for the described massaging device of reappraising;
Computing capability determination module, is used to the operation of described massaging device to reappraise and expects relevant computing capability availability to use and performance; And
Security configuration module, according to the described one group of current safety risk from described risk evaluation module and according to the current state of the computing capability availability of the dynamic change from described computing capability determination module, the operation set point of security module described in dynamic-configuration automatically, wherein said security configuration module comprises configuration determination module and configuration setting module:
Described configuration determination module, for one group of security-related function from by the described one group of current safety risk in response to from described risk evaluation module and to described security module configuration, determine the subset of main safety function and the subset of less important safety function relevant to described one group of current safety risk; And
Described configuration setting module, for setting the configuration of described operation set point, to be while indicating computing capability availability to reduce with respect to last computing capability availability in described computing capability availability, the calculated load that is made the operation because of described configurable security module cause on described computer circuits by the subset of the described less important safety function of described configuration setting module forbidding reduces, thereby when carrying out the subset of described main safety function in described configurable security module when, be conducive to described massaging device corresponding to described use and the expectable operation of property.
2. massaging device as claimed in claim 1, it is characterized in that, security configuration module is little by little forbidden security-related function by the function according to from less important to the order of main function, the sign reducing gradually in response to computing capability and little by little configure the operation set point of described security module, to be kept for the computing capability of the non-safety function of described massaging device.
3. massaging device as claimed in claim 2, it is characterized in that, described configurable security module is stored a plurality of threats definition and defines to scan at least one in described data storage and network traffics according to described a plurality of threats whether have security threat, and wherein said computing capability determination module carries out the subset that quantity that the threat of described scanning defines is forbidden described less important safety function according to this by reducing.
4. massaging device as claimed in claim 2, it is characterized in that, described configurable security module is optionally carried out the combination of different safety functions, and wherein said computing capability determination module, by selecting thin client mode so that most of safety function is carried out on remote server for described configurable security module, is forbidden the subset of described less important safety function.
5. massaging device as claimed in claim 1, is characterized in that, described risk evaluation module comprises:
Position determination module, in order to determine and the indication to the current location of described massaging device be provided; And
Summary data storehouse, position, the security risk summary info that comprises a plurality of localized networks in a plurality of geographical position;
The described indication of wherein said risk evaluation module utilization to described current location, according to the risk summary info corresponding to described current location comprising in summary data storehouse, described position, assesses the current safety risk that described massaging device bears.
6. massaging device as claimed in claim 1, it is characterized in that, described computing capability determination module is assessed the current demand to computational resource according at least one monitored parameter of the group of the free following composition of choosing: system configuration information, running state information, or its arbitrary combination.
7. massaging device as claimed in claim 1, it is characterized in that, described computing capability determination module is assessed available computational resource according at least one parameter of the group of the free following composition of choosing: the application program of using, network traffics, processor is idle, the memory space of distributing, available memory space in described data storage, the situation of the veneer energy, or its arbitrary combination.
8. massaging device as claimed in claim 1, is characterized in that, further comprises:
User preference module, for obtaining freely at least one parameter of the group of following composition of choosing: security risk tolerance information, user experience requirement, or its arbitrary combination from user;
Wherein said security configuration module is according to the operation set point of security module described in described at least one parameter configuration.
9. massaging device as claimed in claim 1, it is characterized in that, described risk evaluation module is suitable for assessing according at least one parameter of the group of the free following composition of choosing the security risk that described massaging device is current born: the relevant historical of described massaging device, global safety situation information, user preference information, the application program of installing or moving on described massaging device, or its arbitrary combination.
10. massaging device as claimed in claim 1, is characterized in that, described one group of security-related function comprises from Generally Recognized as safe function until more nearly corresponding to the multi-level ergasia of the particular security functionality of described one group of current safety risk; And
The subset of wherein said major function is the level being selected from described multi-level system corresponding to the current state of described computing capability availability.
11. 1 kinds are beneficial to for massaging device is configured to automatically the method that realizes availability when providing safeguard protection for described massaging device, and described method comprises:
Utilize calculation element, automatically assess one group of current safety risk that described massaging device bears;
In response to assessing the assessment result of described one group of current safety risk that described massaging device bears, utilize described calculation element automatically to determine by the one group of safety function in described massaging device, security module being configured, to protect described massaging device;
Utilize described calculation element, from described one group of safety function, automatically the reappraise subset of main safety function and the subset of less important safety function relevant to described one group of current safety risk;
Utilizing described calculation element, is automatically the operation of the described massaging device current computing capability availability relevant to the expection of use and performance of reappraising; And
Utilize described calculation element, according to assessing the described assessment result of described one group of current safety risk that described massaging device bears and according to the result of reappraising to the described current computing capability availability relevant to use and performance expection of reappraising for the operation of described massaging device, the dynamic-configuration below automatically moving on described massaging device:
When the result indication of reappraising described in the described current computing capability availability relevant to use and performance expection of reappraising for the operation of described massaging device is calculated to capability availability with respect to last computing capability availability reduction, forbid the subset of described less important safety function and the calculated load that the operation because of described configurable security module causes on described massaging device is reduced, thereby when when described massaging device is carried out the subset of described main safety function, be conducive to described massaging device corresponding to described use and the expectable operation of property.
12. methods as claimed in claim 11, is characterized in that, further comprise:
Utilize described calculation element, automatically determine and the indication to the current location of described massaging device is provided; And
Utilize described calculation element, in summary data storehouse, position, automatically search described current location, the security risk summary info that summary data storehouse, described position comprises a plurality of localized networks in a plurality of geographical position; And
Wherein automatically assessing described one group of security risk that described massaging device bears is the risk summary info corresponding to described current location comprising based in summary data storehouse, described position.
13. methods as claimed in claim 12, is characterized in that, the current location of automatically determining described massaging device comprises at least one in following of operation:
GPS receiver; And
Network topology analyzer.
14. methods as claimed in claim 11, further comprise:
Store a plurality of threats definition, and define at least one in scan data memory and network traffics whether to have any security threat according to described a plurality of threats; And
The subset of the described less important safety function of wherein said forbidding comprises that minimizing carries out the quantity of the threat definition of described scanning according to this.
15. methods as claimed in claim 11, it is characterized in that, described massaging device is carried out at least one in following: describedly automatically assess one group of current safety risk, described automatically definite by one group of safety function to security module configuration in described massaging device, the described subset of described main safety function and the subset of described less important safety function of automatically reappraising, the described computing capability availability of automatically reappraising, and describedly automatically move described dynamic-configuration.
16. methods as claimed in claim 11, it is characterized in that, the described computing capability of automatically reappraising comprises according at least one monitored parameter of the group of the free following composition of choosing assesses the current demand to computational resource: the application program of using on described massaging device, be to and from the network traffics of described massaging device, the processor of described massaging device is idle, the memory space of distributing on described massaging device, or its arbitrary combination.
17. methods as claimed in claim 11, is characterized in that, determine that described computing capability comprises according to the situation of the battery of described massaging device to assess available computational resource.
18. methods as claimed in claim 11, is characterized in that, further comprise:
By described calculation element, from described user, obtain at least one parameter, described parameter choosing is the group of following composition freely: security risk tolerance information, user experience requirement, or its arbitrary combination;
Wherein configuring described security module is to carry out according to described at least one parameter.
19. methods as claimed in claim 11, is characterized in that, automatically assessing described one group of current safety risk is to carry out according to the application program of installing on described massaging device or moving.
CN200910135011.XA 2008-12-02 2009-04-14 Information device with security protection capable of dynamically configuring and method for automatically configuring information device Active CN101753554B (en)

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
US11923708P 2008-12-02 2008-12-02
US61/119,237 2008-12-02
US14209208P 2008-12-31 2008-12-31
US14208808P 2008-12-31 2008-12-31
US61/142,088 2008-12-31
US61/142,092 2008-12-31

Publications (2)

Publication Number Publication Date
CN101753554A CN101753554A (en) 2010-06-23
CN101753554B true CN101753554B (en) 2014-05-07

Family

ID=42479963

Family Applications (2)

Application Number Title Priority Date Filing Date
CN2009201498038U Expired - Lifetime CN201821502U (en) 2008-12-02 2009-04-14 Information device with security structure capable of being configured dynamically
CN200910135011.XA Active CN101753554B (en) 2008-12-02 2009-04-14 Information device with security protection capable of dynamically configuring and method for automatically configuring information device

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN2009201498038U Expired - Lifetime CN201821502U (en) 2008-12-02 2009-04-14 Information device with security structure capable of being configured dynamically

Country Status (2)

Country Link
CN (2) CN201821502U (en)
HK (1) HK1143474A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105590056B (en) 2014-10-22 2019-01-18 中国银联股份有限公司 Dynamic application function control method based on environment measuring

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003081932A1 (en) * 2002-03-27 2003-10-02 Nokia Corporation Multiple security level mobile telecommunications device, system and method
CN101018119A (en) * 2007-02-09 2007-08-15 浪潮电子信息产业股份有限公司 Hardware-based server network security centralized management system without relevance to the operation system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7526800B2 (en) * 2003-02-28 2009-04-28 Novell, Inc. Administration of protection of data accessible by a mobile device
US7908660B2 (en) * 2007-02-06 2011-03-15 Microsoft Corporation Dynamic risk management

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003081932A1 (en) * 2002-03-27 2003-10-02 Nokia Corporation Multiple security level mobile telecommunications device, system and method
CN101018119A (en) * 2007-02-09 2007-08-15 浪潮电子信息产业股份有限公司 Hardware-based server network security centralized management system without relevance to the operation system

Also Published As

Publication number Publication date
HK1143474A1 (en) 2010-12-31
CN201821502U (en) 2011-05-04
CN101753554A (en) 2010-06-23

Similar Documents

Publication Publication Date Title
CN102164148B (en) Group security for portable information device
US7788720B2 (en) Techniques for providing security protection in wireless networks by switching modes
US7607174B1 (en) Adaptive security for portable information devices
US7584508B1 (en) Adaptive security for information devices
KR101501669B1 (en) Behavior detection system for detecting abnormal behavior
US8635661B2 (en) System and method for enforcing a security policy on mobile devices using dynamically generated security profiles
EP2068525B1 (en) Method and system for providing wireless vulnerability management for local area computer networks
CN103023867B (en) Portable secure device and method for dynamically configuration network security setting
Hongsong et al. Security and trust research in M2M system
CN101933057A (en) Mobile system and method for remote control and viewing
Raponi et al. Intrusion detection at the network edge: Solutions, limitations, and future directions
Granjal et al. An Intrusion Detection and Prevention Framework for Internet‐Integrated CoAP WSN
RU101231U1 (en) MOBILE COMPUTER DEVICE SECURITY MANAGEMENT SYSTEM
EP3072077B1 (en) Context-aware proactive threat management system
EP2207322B1 (en) Adaptive security for information devices
Uplap et al. Review of heterogeneous/homogeneous wireless sensor networks and intrusion detection system techniques
Khanpara et al. Security in mobile ad hoc networks
CN101753554B (en) Information device with security protection capable of dynamically configuring and method for automatically configuring information device
Grottke et al. WAP: Models and metrics for the assessment of critical-infrastructure-targeted malware campaigns
EP2207323B1 (en) Adaptive security for portable information devices
Das et al. Smart City Vulnerabilities: An Overview
KR101500448B1 (en) Nonnormal access detection method using normal behavior profile
Aravamudhan et al. A survey on intrusion detection system and prerequisite demands in IoT networks
Chen et al. Addressing data and user mobility challenges in the cloud
Sabir et al. A Systemic Security and Privacy Review: Attacks and Prevention Mechanisms Over IoT Layers

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 1143474

Country of ref document: HK

C14 Grant of patent or utility model
GR01 Patent grant
REG Reference to a national code

Ref country code: HK

Ref legal event code: GR

Ref document number: 1143474

Country of ref document: HK